Contributed by Jackson Raymond Schipke, Connecticut, 3L Roger Williams University Law School
Connecticut’s data breach statute is a wolf in sheep’s clothing. That statute’s definition of “breach of security” is overbroad, encourages over-notification, and undermines the goal of protecting consumers from identity theft. In Connecticut, notification is triggered by mere access of personal information, a statutory feature that encourages over-notification. Over-notification refers to a Boy-Who-Cried-Wolf-like phenomenon. Specifically, when consumers receive many notices of breaches that do not result in identity theft, notices of high-risk breaches will be ignored because the “average” data breach poses no risk of harm – a result that clearly undermines the statute’s consumer protection goals.
Importantly, Connecticut’s data breach law only applies to Connecticut businesses. Therefore to the extent that data breach notices damage a business’s reputation (which they surely do) Connecticut businesses are placed at a disadvantage to similarly situated businesses in other states due to the greater frequency of required disclosure of breaches. Under Connecticut’s regime of over-notification consumer backlash ceases to be a free market force that rightfully punishes businesses that have exposed their customers to identity theft, thus making consumer backlash in this context an artificial, ineffective, and frankly unfair market force. While fully in line with Connecticut’s well-earned reputation as anti-business, this negative effect is likely unintended and certainly does not further the statute’s consumer protection policy goals.
Connecticut’s regime of over-notification fails to apprise consumers to notices of true threats to their financial security, which at best makes the statute ineffective and at worst puts consumers at greater risk of identity theft. The policy goal should be to provide more effective notice in the form of less volume and more substance. Such legislation needs to be re-drafted to optimize consumer protection while minimizing unnecessary harm and cost to Connecticut businesses. Until then, breach notices will continue to cry-wolf to Connecticut’s consumers, and Connecticut businesses will suffer under a law that is, in its effect, anti-consumer and anti-business.